{
	"id": "0001cae3-c5b8-4607-a7ea-95d2d75500d8",
	"created_at": "2026-04-06T00:18:17.778872Z",
	"updated_at": "2026-04-10T03:38:01.692178Z",
	"deleted_at": null,
	"sha1_hash": "71083d94086c266f9a5ddb48deb74ab91308a85d",
	"title": "Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3908883,
	"plain_text": "Operation Soft Cell: A Worldwide Campaign Against\r\nTelecommunications Providers\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 12:38:41 UTC\r\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nResearch by: Mor Levi, Assaf Dahan, and Amit Serper\r\nEXECUTIVE SUMMARY\r\nIn 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global\r\ntelecommunications providers carried out by a threat actor using tools and techniques commonly associated with\r\nChinese-affiliated threat actors, such as APT10.  This multi-wave attacks focused on obtaining data of specific,\r\nhigh-value targets and resulted in a complete takeover of the network.\r\nContact us to chat with a Cybereason Defender about Operation Soft Cell.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 1 of 27\n\nKey Points\r\nEarlier this year, Cybereason identified an advanced, persistent attack targeting telecommunications providers that\r\nhas been underway for years, soon after deploying into the environment.\r\nCybereason spotted the attack and later supported the telecommunications provider through four more waves of\r\nthe advanced persistent attack over the course of 6 months.\r\nBased on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence\r\nsuggests even earlier activity by the threat actor against telecommunications providers.\r\nThe attack was aiming to obtain CDR records of a large telecommunications provider.\r\nThe threat actor was attempting to steal all data stored in the active directory, compromising every single\r\nusername and password in the organization, along with other personally identifiable information, billing data, call\r\ndetail records, credentials, email servers, geo-location of users, and more.\r\nThe tools and TTPs used are commonly associated with Chinese threat actors\r\nDuring the persistent 
attack, the attackers worked in waves- abandoning one thread of attack when it was detected\r\nand stopped, only to return months later with new tools and techniques.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 2 of 27\n\nSecurity Recommendations\r\nAdd an additional security layer for web servers. For example, use WAF (Web Application FW) to prevent trivial\r\nattacks on Internet-facing web servers.\r\nExpose as few systems or ports to the Internet as possible. Make sure that all web servers and web services that\r\nare exposed are patched.\r\nUse an EDR tool to give visibility and immediate response capabilities when high severity incidents are detected.\r\nProactively hunt in your environment for sensitive assets periodically.\r\nTable of Contents\r\nINTRODUCTION\r\nANATOMY OF THE ATTACK\r\nINITIAL COMPROMISE: THE MODIFIED CHINA CHOPPER WEB SHELL\r\nRECONNAISSANCE AND CREDENTIAL STEALING\r\nLATERAL MOVEMENT\r\nMAINTAINING A LONG-TERM FOOTHOLD AND STEALING DATA\r\nDATA EXFILTRATION\r\nUNDERSTANDING THE MOTIVE\r\nTHREAT INTEL RESEARCH\r\nMETHODOLOGY\r\nCONCLUSION\r\nINTRODUCTION to operation soft cell\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 3 of 27\n\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nWatch Lior Div's keynote on the operation.\r\nIn 2018, 30% of the telecommunications providers reported sensitive customer information was stolen due to an\r\nattack. These telecommunications providers have been expanding in size, to the point where In the past thirteen\r\nyears, mobile cellular phone subscribers have quadrupled in size and sit at 8 billion subscribers today. 
Due to their\r\nwide availability and the fundamental service they bring, telecommunications providers have become critical\r\ninfrastructure for the majority of world powers.\r\nWatch the On-Demand Version of Our Operation Soft Cell Webinar\r\nMuch like telecommunication providers, many other critical infrastructure organizations provide a valuable targets\r\nfor nation state threat actors, due to their high impact. In studies, nearly a quarter of critical infrastructure\r\norganizations reported they had been hit by nation state attacks and 60% said disruptive cyber attacks are among\r\nthe threats they are most worried about.\r\nThreat actors, especially those at the level of nation state, are seeking opportunities to attack these organizations,\r\nconducting elaborate, advanced operations to gain leverage, seize strategic assets, and collect information. When\r\nsuccessful, these attacks often have huge implications.\r\nLast year, we identified a threat actor that has been operating in telecommunications provider environments for at\r\nleast two years. We performed a post-incident review of the attacks and were able to identify changes in the attack\r\npatterns along with new activity every quarter.\r\nThe threat actor mainly sought to obtain CDR data (call logs, cell tower locations, etc.) belonging to specific\r\nindividuals from various countries. This type of targeted cyber espionage is usually the work of nation state threat\r\nactors.\r\nWe’ve concluded with a high level of certainty that the threat actor is affiliated with China and is likely state\r\nsponsored. 
The tools and techniques used throughout these attacks are consistent with several Chinese threat\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 4 of 27\n\nactors, such as APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security\r\n(MSS).\r\nThe threat actor changed activity every quarter.\r\nThe attack began with a web shell running on a vulnerable, publicly-facing server, from which the attackers\r\ngathered information about the network and propagated across the network. The threat actor attempted to\r\ncompromise critical assets, such as database servers, billing servers, and the active directory. As malicious activity\r\nwas detected and remediated against, the threat actor stopped the attack.\r\nThe second wave of the attack hit several months later with similar infiltration attempts, along with a modified\r\nversion of the web shell and reconnaissance activities. A game of cat and mouse between the threat actor and the\r\ndefenders began, as they ceased and resumed their attack 2 more times in the span of a 4 month period.\r\nAnatomy of the Attack | Operation soft cell\r\nInitial Compromise: the Modified China Chopper Web Shell\r\nThe initial indicator of the attack was a malicious web shell that was detected on an IIS server, coming out of the\r\nw3wp.exe process. An investigation of the web shell, later classified as a modified version of the China Chopper\r\nweb shell, uncovered several attack phases and TTPs. The threat actor was able to leverage the web shell to run\r\nreconnaissance commands, steal credentials, and deploy other tools.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 5 of 27\n\nMalicious web shell activity as observed in the Cybereason solution. 
Commands executed via a modified version\r\nof the China Chopper web shell.\r\nChina Chopper is a web shell first discovered in 2012 that is commonly used by malicious Chinese actors. It is\r\nused to remotely control web servers, and has been used in many attacks against Australian web hosting providers.\r\nThe web shell parameters in this attack match to the China Chopper parameters, as described in FireEye’s analysis\r\nof China Chopper. This tool has been used by several Chinese-affiliated threat actors, such as APT 27 and APT 40.\r\nIt is important to note that this tool is widely available and can be used by other threat actors.\r\nReconnaissance and Credential Stealing\r\nThe threat actor launched a series of reconnaissance commands to try to obtain and enumerate information about\r\nthe compromised machine, network architecture, users, and active directory enumeration.\r\nExample 1: Reconnaissance Commands\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 6 of 27\n\nExample 2: Reconnaissance Commands\r\nModified “nbtscan”\r\nOne of the reconnaissance commands was to run a modified nbtscan tool (\"NetBIOS nameserver scanner\") to\r\nidentify available NetBIOS name servers locally or over the network. Nbtscan has been used by APT10 in\r\nOperation Cloud Hopper to search for services of interest across the IT estate and footprint endpoints of interest. It\r\nis also capable of identifying system information.\r\nNetBIOS Scanner execution as seen in the Cybereason solution.\r\nNetBIOS scanner is set to scan an internal IP range.\r\nModified Mimikatz\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 7 of 27\n\nFollowing the reconnaissance phase, the threat actor attempted to dump credentials stored on the compromised\r\nmachines. 
The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps\r\nNTLM hashes. This version of mimikatz did not require any command line arguments, most likely in an attempt\r\nto avoid detection based on command-line auditing. The dumped hashes were used to authenticate to other\r\nmachines via pass the hash. We renamed this sample to maybemimi.exe.\r\nModified Mimikatz that dumps NTLM hashes.\r\nReverse engineering shows the similarity between maybemimi.exe and mimikatz.\r\nMimikatz code from GitHub.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 8 of 27\n\nmaybemimi strings.\r\nDumping the SAM Hive from the Registry\r\nIn order to obtain credentials, the threat actor used another technique that can be seen in the below screenshots.\r\nThey dumped specific hives from the Windows Registry, such as the SAM hive, which contains password hashes.\r\nReg.exe is being spawned from a\r\nshell process.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 9 of 27\n\nCommand-line arguments indicate SAM hive dumping.\r\nLateral Movement\r\nOnce the threat actor mapped the network and obtained credentials (through net use), they began to move laterally.\r\nThey were able to compromise critical assets including production servers and database servers, and they even\r\nmanaged to gain full control of the Domain Controller. 
The threat actor relied on WMI and PsExec to move\r\nlaterally and install their tools across multiple assets.\r\nThe following example demonstrates how the threat actor moved laterally from the first machine, compromised\r\nby the modified version of the China Chopper web shell, to other machines inside the network.\r\n/c cd /d \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\\"\u0026wmic /node:\r\n[REDACTED] /user:\"[REDACTED]\" /password:\"[REDACTED]\" process call create a.bat\u0026echo [S]\u0026cd\u0026echo\r\n[E]\r\nWMI command used by the threat actor to move laterally.\r\nMaintaining a Long-term Foothold and Stealing Data\r\nThe threat actor abused the stolen credentials to create rogue, high-privileged domain user accounts which they\r\nthen used to take malicious action. By creating these accounts, they ensured they would maintain access between\r\ndifferent waves of the attack. Once the threat actor regains their foothold, they already have access to a high-privileged domain user account. This significantly reduces the “noise” of having to use credential dumpers\r\nrepeatedly, which helped them evade detection.\r\nPoisonIvy\r\nA second method the threat actor used to maintain access across the compromised assets was through the\r\ndeployment of the PoisonIvy RAT (PIVY). This infamous RAT has been associated with many different Chinese\r\nthreat actors, including APT10, APT1, and DragonOK. It is a powerful, multi-featured RAT that lets a threat actor\r\ntake total control over a machine. Among its most notable features are:\r\nRegistry Editor\r\nScreenshot Grabber\r\nCredential Stealer\r\nInteractive Shell\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 10 of 27\n\nFile Manager with Upload and Download Support\r\nProcess Monitor\r\nKeylogging and Various other Surveillance Features\r\nThe control panel for PoisonIvy. 
Courtesy of Sam Bowne - samsclass.info\r\nWe assume the threat actor used PoisonIvy for keylogging and other surveillance features, as they had that\r\nfunctionality available to them as shown in the screenshot above. \r\nThe strain of PIVY in this attack used a DLL side-loading technique to stealthily load itself into memory. To\r\naccomplish this, it exploited a trusted and signed application. The PIVY payload was dropped along with the\r\ntrusted and signed Samsung tool (RunHelp.exe) in the following manner:\r\n1. 1. 1. A nullsoft installer package (NSIS) was created with a legitimate, signed Samsung tool in it.\r\n2. Once executed, the installer script within the NSIS package extracted the Samsung tool and\r\nadded a fake DLL with the same name as a legitimate DLL (ssMUIDLL.dll), which is\r\nrequired by the application.\r\n3. The DLL contains a PIVY stager, which is then loaded by the Samsung tool.\r\n4. After the fake DLL was loaded by the Samsung tool, it decrypted a blob payload in the same\r\nfolder, which contains the actual PIVY payload.\r\n5. It was able to achieve persistence by creating a rogue scheduled task.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 11 of 27\n\nPost-persistence execution of PIVY, side-loaded into a legitimate Samsung application.\r\nPIVY’s use of DLL side-loading to abuse Samsung tools is not new, and has been reported previously by Palo\r\nAlto. In 2016 it was used to attack pro-democratic activists in Hong Kong, most probably by Chinese threat\r\nactors.\r\n⚠️ Note: Our team has reached out to and advised the targeted organizations on active containment\r\nactions.\r\nSecondary Web Shells\r\nIn later stages of the attack, the threat actor deployed two other custom-built web shells. 
From these web shells,\r\nthey launched reconnaissance commands, stole data, and dropped additional tools including portqry.exe, renamed\r\ncmd.exe, winrar, and the notorious hTran.\r\nReconnaissance and lateral movement commands launched from the secondary web shell.\r\nData Exfiltration\r\nThe threat actor exfiltrated stolen data using multiple different channels including web shells and hTran.\r\nCompressing the Stolen Data\r\nIn an attempt to hide the contents of the stolen data, the threat actor used winrar to compress and password-protect\r\nit. The winrar binaries and compressed data were found mostly in the Recycle Bin folder, a TTP that was\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 12 of 27\n\npreviously observed in APT10-related attacks, as well as others. This threat actor is known to stage the data in\r\nmulti-part archives before exfiltration.\r\nThe threat actor used the following commands to compress the data.\r\nrar.exe a -k -r -s -m1 -[password] [REDACTED].rar [REDACTED].temp\r\nrar.exe a -k -r -s -m1 -[password] [REDACTED].rar [REDACTED].csv\r\nrar a -r -[password] [REDACTED].rar sam system ntds.dit\r\nCompressed stolen data exfiltrated via web shell.\r\nThe contents of the compressed data was crucial in understanding the threat actor’s motivation for the attack, as\r\nwell as what type of information they were after.\r\nhTran\r\nIn order to exfiltrate data from a network segment not connected to the Internet, the threat actor deployed a\r\nmodified version of hTran. This ‘connection bouncer’ tool lets the threat actor redirect ports and connections\r\nbetween different networks and obfuscate C2 server traffic. There have been numerous reports of hTran being\r\nused by different Chinese threat actors, including: APT3, APT27 and DragonOK.\r\nThe threat actor made some modifications to the original source code of hTran. 
Many strings, including the debug\r\nmessages, were intentionally changed and obfuscated in an attempt to evade detection and thwart efforts to\r\nidentify the malware by antivirus and researchers.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 13 of 27\n\nObfuscated debug messages.\r\nSince the original source code for hTran is publicly available, we were able to compare the debug output to the\r\noriginal source code to show that it has indeed been modified.\r\nIdentifying modifications in a disassembly of the modified hTran.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 14 of 27\n\nprintf is being called (dubbed by us as “looks_like_printf”) with output “C e.”. By looking at the original source\r\ncode, we were able to identify that this is supposed to be “Connect error”.\r\nA section of the source code for hTran.\r\nUnderstanding the Motive\r\nWhen you think of large breaches to big organizations, the first thing that comes to mind is usually payment data.\r\nAn organization that provides services to a large customer base has a lot of credit card data, bank account\r\ninformation, and more personal data on its systems. 
These attacks are usually conducted by a cybercrime group\r\nlooking to make money.\r\nIn contrast, when a nation state threat actor is attacking a big organization, the end goal is typically not financial,\r\nbut rather intellectual property or sensitive information about their clients.\r\nOne of the most valuable pieces of data that telecommunications providers hold is Call Detail Records (CDRs).\r\nCDRs are a large subset of metadata that contains all details about calls, including:\r\nSource, Destination, and Duration of a Call\r\nDevice Details\r\nPhysical Location\r\nDevice Vendor and Version\r\nFor a nation state threat actor, obtaining access to this data gives them intimate knowledge of any individuals they\r\nwish to target on that network. It lets them answer questions like:\r\nWho are the individuals talking to?\r\nWhich devices are the individuals using?\r\nWhere are the individuals traveling?\r\nHaving this information becomes particularly valuable when nation-state threat actors are targeting foreign\r\nintelligence agents, politicians, opposition candidates in an election, or even law enforcement.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 15 of 27\n\nExample 1: CDR Data\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 16 of 27\n\nExample 2: CDR Data\r\nExample 3: CDR Data\r\nBeyond targeting individual users, this attack is also alarming because of the threat posed by the control of a\r\ntelecommunications provider. Telecommunications has become critical infrastructure for the majority of world\r\npowers. 
A threat actor with total access to a telecommunications provider, as is the case here, can attack however\r\nthey want passively and also actively work to sabotage the network.\r\nThis attack has widespread implications, not just for individuals, but also for organizations and countries alike.\r\nThe use of specific tools and the choice to hide ongoing operations for years points to a nation state threat actor,\r\nmost likely China. This is another form of cyber warfare being used to establish a foothold and gather information\r\nundercover until they are ready to strike.\r\nWant to learn about post-incident review? Read about post-incident review.\r\nThreat Intel Research\r\nThe following sections detail the methodology and work process used to piece together the various stages and\r\ncomponents of the attack. This work enabled us to not only reconstruct these attacks, but also to find additional\r\nartifacts and information regarding the threat actor and its operations.\r\nMethodology\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 17 of 27\n\nStep 1: Creating and Maintaining an IOC Inventory\r\nThe first step in this process was to create a comprehensive list of indicators of compromise (IOCs) observed\r\nthroughout the different stages of the attack. This list included various indicators, such as file hashes, domains, IP\r\naddresses, file names, and registry/service names. In addition to this, our reverse engineers were able to extract\r\nfurther IOCs from the collected samples, which have also been added to the list.\r\nThe list of IOCs was periodically updated and fed back into our threat intel engine as more were discovered.\r\nStep 2: Hunting for Known Evil\r\nEquipped with an ever-growing list of known IOCs, our team set out to hunt for “low-hanging fruit” across\r\nmultiple environments. 
This step was done by using both internal sources, such as the Cybereason solution, as\r\nwell as hunting for indicators in the wild.\r\nThe hunt for “known evil” yielded interesting results that helped uncover additional compromised assets as well\r\nas more parts of the attack infrastructure.\r\nStep 3: Threat Actor’s Arsenal\r\nPerhaps one of the most interesting steps involved identifying and analyzing the tools the threat actor used\r\nthroughout the attack. The combination of the preference of tools, sequence of use, and specifically how they are\r\nused during the attack says a lot about a threat actor, especially when it comes to attribution.\r\nOne of the more notable aspects was how the threat actor used mostly known tools that were customized for this\r\nspecific attack. Each tool was customized differently, and included re-writing the code, stripping debug symbols,\r\nstring obfuscation, and embedding the victim’s specific information within the tools’ configuration.\r\nHowever, the threat actor also used tools we were not able to attribute to any known tool. These tools were used in\r\nthe later stages of the attack, once the operation was already discovered. This was most likely to decrease the risk\r\nof exposure or attribution.\r\nFinally, the payloads were almost never repeated. The threat actor made sure that each payload had a unique hash,\r\nand some payloads were packed using different types of packers, both known and custom.\r\nThe main tools these attacks had in common are:\r\n1. Web Shells\r\nA modified version of the China Chopper web shell was used for initial compromise.\r\nCustom-built web shells were used for later phases of the attack.\r\n2. 
Reconnaissance Tools\r\nA modified version of Nbtscan was used to identify available NetBIOS name servers locally or over\r\nthe network.\r\nMultiple Windows built-in tools were used for various tasks, including whoami, net.exe, ipconfig,\r\nnetstat, portqry, and more.\r\nWMI and PowerShell commands were used for various tasks.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 18 of 27\n\n3. RAT\r\nPoisonIvy was used to maintain access across the compromised assets.\r\nPlugX was used in some of the instances that we're aware of.\r\n4. Credential Dumpers\r\nA modified version of Mimikatz was used to dump credentials stored on the compromised\r\nmachines.\r\nA PowerShell-based Mimikatz was also used to dump credentials stored on the compromised\r\nmachines.\r\n5. Lateral movement\r\nWMI was used for lateral movement.\r\nPsExec was also used for lateral movement.\r\n6. Connection Proxy\r\nA modified version of hTran was used to exfiltrate stolen data.\r\n7. Compression tool\r\nWinrar was used to compress and password-protect stolen data.\r\nStep 4: Creating a TTP-based Behavioral Profile\r\nOne of the key components of threat hunting is to create a TTP-based behavioral profile of the threat actor in\r\nquestion. 
Malware payloads and operational infrastructure can be quickly changed or replaced over time, and as\r\nsuch, the task of tracking a threat actor can become quite difficult.\r\nFor that reason, it is crucial to profile the threat actor and study its behavior, the tools it uses, and its techniques.\r\nThese behavioral-based TTPs are less likely to change drastically, and are\\ key factors of any threat hunt or\r\nattribution efforts.\r\nThe Cybereason solution is compatible with the MITRE ATT\u0026CK framework, which made it easy to keep track\r\nof the observed TTPs and correlate the data with known threat actors.\r\nThe following chart reflects the behavioral profile of the threat actor based on the most frequently observed\r\ntechniques used throughout these attacks.\r\nMITRE ATT\u0026CK Techniques Breakdown\r\nInitial Access Execution Persistence\r\nPrivilege\r\nEscalation\r\nDefense Evasion\r\nCredential\r\nAccess\r\nExploit Public-Facing\r\nApplication\r\nCommand-line\r\ninterface\r\nWeb Shell\r\nValid\r\nAccounts\r\nDLL-side\r\nLoading\r\nCredential\r\nDumping\r\n \r\nWindows\r\nManagement\r\nInstrumentation\r\nCreate\r\nAccount\r\nWeb Shell\r\nIndicator\r\nRemoval from\r\nTools\r\n \r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 19 of 27\n\nPowerShell    \r\nObfuscated Files\r\nor Information\r\n \r\n        Masquerading  \r\nDiscovery\r\nLateral\r\nMovement\r\nCollection\r\nCommand\r\nand Control\r\nExfiltration Impact\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nWindows\r\nAdmin Shares\r\nData From\r\nLocal System\r\nRemote File\r\nCopy\r\nData Compressed  \r\nRemote System\r\nDiscovery\r\nPass the Hash Data Staged\r\nConnection\r\nProxy\r\nExfiltration Over\r\nCommand and\r\nControl Channel\r\n \r\nAccount Discovery\r\nRemote File\r\nCopy\r\nInput Capture      \r\nPermission Groups\r\nDiscovery\r\n         \r\nStep 5: Mapping out the Infrastructure and Operational 
Activity\r\nReconstructing the Infrastructure\r\nIn order to make sense of all the data, we fed it into multiple threat intelligence sources, including our own and\r\nthird parties.\r\n⚠️ Note: Since we cannot share any IOCs, we will refer to file hashes, hostnames, IP addresses and other\r\nIOCs as generic placeholders.\r\nHostname1 is the hostname that was used for the C2 server targeting the telecommunications providers.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 20 of 27\n\nHostname1 connected to multiple tools.\r\nIn analyzing the files, it is clear they are all contacting the same host hostname1. hostname1 was the C2 server\r\nthat the malware and web shells connected to.\r\nOnce we determined the hashes in the scope of the attack were only connecting to hostname1, which is a dynamic\r\nDNS hostname, we looked to see if we could find more information about the C2 server.\r\nA simple WHOIS query revealed that the IP address was registered to a colocation hosting company in Asia,\r\nthough there was no other publicly available information about this IP address.\r\nBy querying all of our threat intel resources about this IP address, we discovered that it was associated with\r\nmultiple dynamic DNS hostnames.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 21 of 27\n\nMultiple dynamic DNS hostnames.\r\nWe were unable to find indications of connections to Dynamic.DNS2 and Dynamic.DNS3. However, they were\r\nregistered and associated with IP.Address1.\r\nFor the other dynamic DNS hosts, we leveraged various threat intel repositories and crafted queries that searched\r\nfor executables with these IP addresses and hostnames in their string table. One of the queries returned a few\r\nDLLs with identical names to the DLL we had initially investigated. However, the hashes were different. 
After\r\nobtaining the found DLLs, we patched them back into the NSIS installer and detonated the samples in our testing\r\nenvironment. Dynamic analysis of the newly obtained DLLs revealed a new set of domains and IP addresses that\r\nwere completely different. These domains were actually related to different telecommunications providers.\r\n⚠️ Note: Cybereason immediately reached out to those telecommunications providers and provided them\r\nall of the necessary information to handle the incident internally.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 22 of 27\n\nStrings from the dumped memory section of the injected shellcode. We can see many details about the attack\r\nincluding domains and C2 server IP addresses.\r\nShellcode being unpacked and injected into a remote process. The redacted segments contain the name of the\r\ncustomer, C2 IP addresses, and domains.\r\nInfrastructure Operational Security\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 23 of 27\n\nThe threat actor’s infrastructure.\r\nhttps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\r\nPage 24 of 27\n\nThe threat actor had a specific pattern of behavior that allowed us to understand their modus operandi: they used\r\none server with the same IP address for multiple operations. This server is a key component in their ‘non-attributable’ infrastructure.\r\nThe threat actor separated operations by using different hostnames per operation, though they are hosted on the\r\nsame server and IP address. The domains and server registration information pointed to three main countries:\r\nChina, Hong Kong, and Taiwan.\r\nThis is cheap and efficient for the threat actor, but is almost transparent for a seasoned researcher with access to\r\nthe right threat intelligence tools. 
There are previous reports of threat actors including APT10 and APT1 using\r\ndynamic DNS.\r\nMonitoring this infrastructure gave us information about if and when the threat actor was starting new waves of\r\nthe attack or additional attacks on other providers.\r\nWhen researching C2 servers, it is important to watch for:\r\nAssociation with domains, especially if they are dynamic DNS domains.\r\nFile hashes that are associated with the IP address or the domain of the C2 server.\r\nStatic information and metadata from associated samples that could be used to broaden the search after additional\r\ninformation is gathered.\r\nThis demonstrates the importance of proper operational security and a separation between tools and operations for\r\nthreat actors.\r\nStep 6: Rounding Up Immediate/Potential Suspects\r\nAttribution is a fickle and delicate art. In most cases, it is very difficult to achieve 100% certainty when attributing\r\nan attack to a specific threat actor. It can be tempting to attribute an attack to a certain threat actor whenever\r\ncertain tools-of-the-trade, IP addresses, strings, or “indicative” techniques are observed.\r\nHowever, it is important to bear in mind that the aforementioned data points are often prone to manipulation and\r\nreuse across different threat actors. 
Further, they are open to deliberate deception, such as an attempt to “pin”\r\nan operation on a different threat actor to avoid proper attribution.\r\nIn order to increase the certainty level when attributing to a specific threat actor, we took the following aspects of\r\nthe attacks into consideration:\r\nIndicators of Compromise\r\nTTPs (Tactics, Techniques and Procedures)\r\nThreat actor's tools\r\nMotive behind the attacks\r\nRegional and industry considerations\r\nCarefully examining each of the different aspects plays an important role in avoiding misattribution. This model\r\noffers a more balanced interpretation of the data, based on many components. By performing a\r\ncontextualized review of the data, you are able to reach a more complete result with greater certainty.\r\nWhen it comes to attributing Operation Soft Cell, we are unable to achieve 100% certainty with regard to the\r\nidentity of the threat actor. 
However, based on our interpretation of the data, we conclude with a high level of\r\ncertainty that:\r\nThe threat actor behind Operation Soft Cell is likely state-sponsored.\r\nThe threat actor is affiliated with China.\r\nAfter following the above attribution model and carefully reviewing the data, we are able to narrow down the\r\nsuspect list to three known APT groups, all of which are known to be linked to China: APT10, APT27, and\r\nDragonOK.\r\nHaving found multiple similarities to previous attacks, it is our estimation that the threat actor behind these attacks\r\nis likely linked to APT10, or at the very least, to a threat actor that shares tools, techniques, motive and\r\ninfrastructural preferences with those of APT10.\r\nWhile we cannot completely rule out a “copy-cat” scenario, where another threat actor might masquerade as\r\nAPT10 to thwart attribution efforts, we find this option to be less likely in light of our analysis of the data.\r\nConclusion\r\nIn this blog, we have described an ongoing global attack against telecommunications providers that has been\r\nactive since at least 2017. The threat actor managed to infiltrate the deepest segments of the providers’\r\nnetwork, including some isolated from the internet, as well as compromise critical assets. Our investigation\r\nshowed that these attacks were targeted, and that the threat actor sought to steal communications data of specific\r\nindividuals in various countries.\r\nThroughout this investigation, we have uncovered the infrastructure that facilitated the malicious operations carried out\r\nby this threat actor. The data exfiltrated by this threat actor, in conjunction with the TTPs and tools used, allowed\r\nus to determine with a very high probability that the threat actor behind these malicious operations is backed by\r\na nation state, and is affiliated with China. 
Our contextualized interpretation of the data suggests that the threat\r\nactor is likely APT10, or at the very least, a threat actor that shares its methods, or wishes to emulate them, by using the\r\nsame tools, techniques, and motives.\r\nIt’s important to keep in mind that even though the attacks targeted specific individuals, any entity that possesses\r\nthe power to take over the networks of telecommunications providers can potentially leverage its unlawful access\r\nand control of the network to shut down or disrupt an entire cellular network as part of a larger cyber warfare\r\noperation.\r\nDue to various limitations, we cannot disclose all the information we have gathered on the attack in\r\nthis report. Our team will continue to monitor and track the threat actor’s activity in order to identify more tools\r\nand compromised organizations.\r\nClosing Notes: This research, which is still ongoing, has been a huge effort for the entire Cybereason Nocturnus\r\nteam. Special thanks go to Niv Yona, Noa Pinkas, Josh Trombley, Jakes Jansen, and every single member\r\nof the Nocturnus team for the countless hours and effort that were put into this research. We will continue to\r\nmonitor and update our blog with more information once available and as our investigation progresses.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government\r\nintelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing\r\nnew attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. 
The\r\nCybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit\r\ncyberattacks.\r\nSource: https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
	],
	"report_names": [
		"operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0",
			"created_at": "2023-01-06T13:46:38.469688Z",
			"updated_at": "2026-04-10T02:00:02.987949Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Moafee",
				"BRONZE OVERBROOK",
				"G0017",
				"G0002",
				"Shallow Taurus"
			],
			"source_name": "MISPGALAXY:DragonOK",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28",
			"created_at": "2022-10-25T15:50:23.78829Z",
			"updated_at": "2026-04-10T02:00:05.415039Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"DragonOK"
			],
			"source_name": "MITRE:DragonOK",
			"tools": [
				"PoisonIvy",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "340d1673-0678-4e1f-8b75-30da2f65cc80",
			"created_at": "2022-10-25T16:07:23.552036Z",
			"updated_at": "2026-04-10T02:00:04.653109Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Bronze Overbrook",
				"G0017",
				"Shallow Taurus"
			],
			"source_name": "ETDA:DragonOK",
			"tools": [
				"Agent.dhwf",
				"CT",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"HelloBridge",
				"IsSpace",
				"KHRAT",
				"Kaba",
				"Korplug",
				"Mongall",
				"NFlog",
				"NewCT",
				"NfLog RAT",
				"PlugX",
				"Poison Ivy",
				"Rambo",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"SysGet",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TidePool",
				"Xamtrav",
				"brebsd",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434697,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71083d94086c266f9a5ddb48deb74ab91308a85d.pdf",
		"text": "https://archive.orkl.eu/71083d94086c266f9a5ddb48deb74ab91308a85d.txt",
		"img": "https://archive.orkl.eu/71083d94086c266f9a5ddb48deb74ab91308a85d.jpg"
	}
}